6.2.1 Web container-based authentication functionality using DD settings
The following subsection describes the functionality that can be implemented for Web container-based authentication using the DD file (WEB-INF/web.xml) settings.
(1) User information management
The Web container defines, holds, and maintains the user names, passwords, and roles of users according to the user management functionality of the J2EE server.
(2) Container security and access permission management
The Web container can restrict Web clients from accessing particular URLs.
To do this, it is necessary to define the following in the DD file (WEB-INF/web.xml):
- URL pattern for access restriction
- Security definitions necessary for access, such as role definitions
- Authentication method for obtaining roles defined for users
If the Web client fails to authenticate or if the user does not have the role necessary for access, any attempt to access a URL pattern for which access is restricted results in an error. Note that once authenticated, a client is not authenticated again during the valid session period.
The security definitions and authentication methods should be defined according to the DD file (WEB-INF/web.xml) specifications stipulated by Servlet API 2.3.
The Web container offers two types of authentication method: basic and form-based authentication. Both types of authentication can be defined by adding the <login-config> tag to the DD file (WEB-INF/web.xml) included in the J2EE application. For details about how to configure the J2EE application, see 6.2.2 Definitions in DD files.
- Important note
  - When using HTTP Server or Microsoft IIS as the Web server
    When using either Cosminexus HTTP Server or Microsoft IIS as the Web server, the Web server's own authentication functionality must be disabled so that the Web container can correctly provide basic authentication. For details, see 6.2.4 Precautions for using authentication functionalities.
  - Configuring basic authentication in web.xml
    Specify a realm name in the <realm-name> tag. If no realm name is specified, "Authentication required" is used as the realm name. Specifying an empty string or only spaces in the <realm-name> tag is treated the same as omitting the <realm-name> tag.
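The following web.xml fragment is an added example (not taken from the Cosminexus manual) showing the three definitions above together for a Servlet 2.3 DD: the restricted URL pattern, the role-based access constraint, and the basic authentication method with an explicit realm name. The servlet name, the /admin/* pattern, the role name admin and the realm name are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <!-- Constructed example: servlet name, class, URL pattern and role name are assumptions. -->
  <servlet>
    <servlet-name>AdminServlet</servlet-name>
    <servlet-class>example.AdminServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>AdminServlet</servlet-name>
    <url-pattern>/admin/*</url-pattern>
  </servlet-mapping>

  <!-- (a) URL pattern for access restriction and the roles allowed to reach it -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administration pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <!-- No <http-method> element: the constraint then applies to every HTTP
           method. Listing only GET would leave POST and other methods unprotected. -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- (b) Authentication method used to obtain the user's roles: basic authentication.
       <realm-name> is optional; when it is omitted (or empty), the realm name
       "Authentication required" is used. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Admin area</realm-name>
  </login-config>

  <!-- (c) Role definition referenced by the constraint and by isUserInRole("admin") -->
  <security-role>
    <role-name>admin</role-name>
  </security-role>
</web-app>
```

A request to /admin/* from an unauthenticated client, or from an authenticated user without the admin role, is rejected by the container before the servlet runs; within a valid session the client is not prompted again.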
(3) Program security
If access to a servlet or JSP is restricted by basic or form-based authentication configured using the DD file (WEB-INF/web.xml), that servlet or JSP can perform fine-grained security processes at the program level by using the HttpServletRequest APIs listed below. These processes include changing the operation according to the user name and role name for the logged-in user.
- getRemoteUser()
- isUserInRole()
- getUserPrincipal()
For details about these APIs, see Java Servlet Specification v2.3.